RE: New Worm Named W32/Minda.a@mm

From: owentoby@WellsFargo.COM
Date: 09/19/01 

From: owentoby@WellsFargo.COM
Message-ID: <BFCC17728801D311A6A90001FA7EA1360B60B426@xcem-aztem-04.wellsfargo.com>
To: secmail@dirk.demon.co.uk, ScottM@cybear.com, mfossi@securityfocus.com, focus-ms@securityfocus.com
Subject: RE: New Worm Named W32/Minda.a@mm
Date: Wed, 19 Sep 2001 09:34:44 -0700

Be careful about deleting the admin.dll. There is a legitimate one loaded
by Front Page Server Extensions (why anyone would leave those on a
production server is beyond me, but that's another discussion). Compare
file dates and sizes with known good copies of this file, before you whack a
file needed by your webserver!

Toby

-----Original Message-----
From: Ian Macdonald [mailto:secmail@dirk.demon.co.uk]
Sent: Tuesday, September 18, 2001 2:45 PM
To: Scott Muelhberger; 'Marc Fossi'; Focus-MS
Subject: Re: New Worm Named W32/Minda.a@mm

Current thoughts here are

Delete All *.eml which has todays date
shutdown Web publishing services, and IIS Admin services
delete all admin.dll
install the IIS security rollup patch
reboot
delete the mmc.exe that is 56K in size

You can't delete mmc.exe while it is running, kill.exe from the NT resource
kit will not kill the executable so you need to reboot.
These steps seem to stop the attacks from being generated. I have also seen
alot of tftp files being generated, these should be deleted as well. This is
not the complete answer but it might stop the server from attacking

Ian

----- Original Message -----
From: "Scott Muelhberger" <ScottM@cybear.com>
To: "'Marc Fossi'" <mfossi@securityfocus.com>; "Focus-MS"
<focus-ms@securityfocus.com>
Sent: Tuesday, September 18, 2001 1:12 PM
Subject: RE: New Worm Named W32/Minda.a@mm

> Anyone know how to clean this virus permanently off of servers?
>
> Thank You,
>
> Scott
>
>
>
> -----Original Message-----
> From: Marc Fossi [mailto:mfossi@securityfocus.com]
> Sent: Tuesday, September 18, 2001 12:01 PM
> To: Focus-MS
> Subject: New Worm Named W32/Minda.a@mm
>
> W32/Minda.a@mm is the working name for it.
>
> Marc Fossi, MCSE
> SecurityFocus
> www.securityfocus.com
>
>
>

Relevant Pages

  • Re: Web Server Botnets and Server Farms as Attack Platforms
    ... Web Server Botnets and Server Farms as Attack ... We discuss how these attacks work using file inclusion ... vulnerabilities and PHP shells. ... place platform by platform, ...
    (Bugtraq)
  • RE: VmWare and Pen-test Learning
    ... Setup a tftp server on your client machine. ... Use John the Ripper to crack the passwords. ... (dictionary attacks, brute force, single mode). ... Download FREE whitepaper on how a managed service can help ...
    (Pen-Test)
  • Re: [Full-disclosure] Web Server Botnets and Server Farms as Attack Platforms
    ... Web Server Botnets and Server Farms as Attack ... We discuss how these attacks work using file inclusion ... vulnerabilities and PHP shells. ... place platform by platform, ...
    (Full-Disclosure)
  • Re: ARP Spoofing and Routing
    ... I would like to know how to go abt spoofing arp caches, ... >What I was trying to do was arpspoof a server so that I could intercept ... Up to 75% of cyber attacks are launched on shopping carts, forms, ... Check your website for ...
    (Pen-Test)
  • RE: Penetration test of 1 IP address
    ... You could use a whole sleth of tools on some server, ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Check your website for vulnerabilities to SQL injection, ... Up to 75% of cyber attacks are launched on shopping ...
    (Pen-Test)